Vendor Security Requirements

Vendors that have access to Cooley data or systems must go through a data security assessment managed by our information security team. Depending on the type of data involved and the services that a Vendor is contracted to supply, Vendors that do not pass the security assessment to Cooley’s satisfaction may not be onboarded to provide services. These Vendor security requirements provide a general overview of the security obligations with which Cooley Vendors must comply. These requirements are subject to change and are not a substitute for a Vendor passing the security assessment or otherwise complying with applicable law and contracted obligations.

Vendors must comply with all applicable data privacy and protection laws. Cooley is an international legal practice with offices across the United States, and affiliated practices in the United Kingdom, European Union, China, Hong Kong and Singapore. Vendors should anticipate complying with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any binding regulations promulgated thereunder (CCPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Virginia Consumer Data Protection Act (VCDPA), the China Personal Information Protection Law (PIPL), the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the Singapore Personal Data Protection Act (PDPA), the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the UK Data Protection Act of 2018, and any other applicable privacy law.

Vendors will only process or transfer personal data for the purpose of providing services to Cooley or its clients. If the Vendor is a data processor or service provider, as defined in applicable data privacy and protection laws, then Cooley may require the Vendor to enter into a data processing agreement. Vendors will at all times comply with Cooley’s written instructions regarding the processing of personal data.

Vendors will have an information security program that is implemented and maintained in accordance with industry standards. At a minimum, the Vendor’s information security program will include, but not be limited to, the following:

1. General security standards

1.1 Vendor will have or assign an authoritative member of its workforce, or will commission a reputable third-party provider, to be responsible for the management and implementation of the organization’s information security program.

1.2 Vendor will maintain formal written information security policies, procedures and standards that are kept up to date and revised whenever relevant changes are made to the systems that use or store Cooley data or Cooley client data (Cooley Data). They should be designed to:

  • Define the administrative, physical and technological controls to protect the confidentiality, integrity, availability and privacy of Cooley’s information, systems/network and Vendor systems used in providing services to Cooley.
  • Encompass secure retention, access and transmission of Cooley’s data.
  • Ensure data collected is the minimum necessary and exclusively for the purpose of providing the service.
  • Ensure data is accurate and up to date, complete and sufficient, reliable and processed in a manner that maintains its integrity.
  • Describe requirements for assessments, reassessments, monitoring and audit procedures to ensure compliance with internal policies.
  • Ensure subprocessors comply with Cooley security and privacy requirements.
  • Provide for disciplinary or legal action in the event of a violation of policy by employees or subcontractors.

1.3 Vendor’s acceptable use policies should cover and include:

  • System access
  • Passwords
  • Mobile device/bring your own device (BYOD)
  • Remote access
  • Electronic communication
  • Internet usage
  • Data and information
  • Media handling

1.4 Vendor’s security policies should cover:

  • Asset and risk management
  • Human resource security
  • Awareness and education
  • Physical and environmental security
  • Operational security
  • Privileged account management
  • Vendor and supplier management and onboarding
  • Security incident response

2. Human resources requirements

2.1 Background checks

Subject to applicable law, the Vendor will not permit any of its personnel to perform services for Cooley if such person has been convicted of, pled guilty or no contest to, or participated in a pretrial diversion program for a felony or multiple misdemeanor offenses involving crimes of dishonesty or breach of trust – including, but not limited to, fraud, theft, money laundering, embezzlement, sale, distribution of or trafficking in drugs or controlled substances, or criminal conspiracy.

Any personnel who do not successfully meet or comply with any of these requirements will not be assigned or, if applicable, will not continue in an assignment, to provide services to Cooley, and the Vendor will promptly replace such personnel at no additional charge to Cooley. Any replaced personnel will be prohibited from accessing any information or data relating to Cooley.

The Vendor will conduct background checks to enforce these provisions or submit to have these checks conducted by Cooley.

2.2 Employee confidentiality

The Vendor will ensure that employees sign confidentiality agreements with the Vendor.

2.3 Employee training

Vendor will train employees, contractors and consultants, as applicable, on security awareness at the time of onboarding and thereafter at least annually. Training topics shall include but not be limited to:

  • Secure logon procedures
  • Best password practices
  • Identifying malicious and phishing emails
  • Reporting a security incident
  • Data-handling procedures

3. Risk management program

The Vendor will maintain a risk management program that aligns with ISO 27005, ISO 31000, NIST 800-37 or NIST 800-53. This includes at a minimum:

  • Annual risk reviews
  • Documentation on risk decisions
  • Senior leadership approval of risk mitigations and acceptance

4. Business continuity and disaster recovery

Vendor will maintain appropriate business continuity planning (BCP) and develop a disaster recovery plan (DRP) to adequately respond to and recover from business interruptions involving services provided to Cooley, to include:

  • Employing high-availability systems, backup services, data replication and redundant, co-located data centers.
  • Testing the BCP and DRP annually to ensure they are up to date and effective.

5. Incident response and data breach notification

5.1 Incident response

  • The Vendor will establish and test annually a security incident response plan to ensure all security events are evaluated and responded to appropriately.
  • The Vendor will utilize a security information and event management system to collect security logs.

The Vendor will ensure that logs are reviewed regularly by dedicated security personnel for suspicious activity.

5.2 Data breach notification

  • The Vendor will establish a data breach notification process if it learns, or has reason to believe, that any person or entity has breached or attempted to breach its security measures or gained unauthorized access to Cooley Data.
  • The Vendor will promptly notify Cooley’s information security team without undue delay, and in any event no later than 24 hours after becoming aware of a data breach.
  • The Vendor will investigate, remediate and mitigate the effect of any data security breach in cooperation with Cooley’s information security team to ensure such remediation reasonably satisfies Cooley that a data security breach will not recur.
  • Additionally, if and to the extent that any information security breach or other unauthorized access, acquisition, destruction, or disclosure of personal information occurs as a result of the Vendor’s act or omission, the Vendor should take reasonable measures, in cooperation with Cooley, to provide notice or other remedial measures to individuals affected by the breach (including credit monitoring services, fraud insurance and processes to respond to inquiries from affected individuals) as are warranted by the situation – and at the Vendor’s cost and expense.

6. Cyber insurance

The Vendor should carry cyber insurance appropriate to the type of data it processes, and as applicable to the architecture and security of its systems.

7. Information security program

Where applicable to the type of data held and the Vendor’s network and system architecture, the Vendor should establish the following:

7.1 Logical system architecture

  • The Vendor should maintain Cooley Data in hardened SOC 2 Type 2 certified data centers with replication and backup to secondary data centers.
  • Regarding perimeter security, the Vendor should have a documented and fully implemented data security program to protect data, servers and endpoints on its network using a variety of security controls – including next-generation firewalls, web-filtering gateways, email gateways, honeypots and targeted attack protection to block access to suspicious and malicious sites, internet protocols, emails and attachments.
  • The Vendor should maintain targeted attack protection to find and mitigate zero-day attacks through email by using URL rewrites, attachment sandboxing and email recalling.

7.2 Data controls

Where applicable to the data held, the Vendor should ensure that Cooley Data is classified, protected according to its classification, encrypted at rest and in transit, and logically separated to prevent malicious or compromised users from affecting the service or data of another service.

  • Vendor must encrypt Cooley Data while in transit on any network or stored on any device.
  • Use of encryption products must comply with local restrictions and regulations on the use of encryption in the relevant jurisdiction.
  • Data-in-transit protection – Vendor will protect Cooley Data transmitted over networks against tampering and eavesdropping using a combination of network protection and encryption. No unprotected HTTP connections are allowed. Transport Layer Security (TLS), the protocol underlying secure HTTPS connections, must be configured on the connecting server with a minimum of TLS 1.2 or higher and with forward secrecy.
  • Data-at-rest protection – Vendor will adequately protect Cooley Data at rest against tampering by using Advanced Encryption Standard (AES) 256-bit encryption or higher.
  • Vendor is strictly prohibited from attempting to reidentify pseudonymized data under any circumstances. Any activities that may lead to the reidentification of pseudonymized data, including but not limited to data matching, data mining or any other forms of analysis, are expressly forbidden. Vendor must implement and maintain appropriate technical and organizational measures to prevent any attempts at reidentification.
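The data-in-transit bullet above is concrete enough to check mechanically. The following Python script is an added example, not Cooley’s or any vendor’s own code: it builds a server-side `ssl.SSLContext` that enforces the stated floor (TLS 1.2 or higher, ephemeral key exchange only) and evaluates a set of observed connections against the three rules in the bullet (no plain HTTP, protocol at or above TLS 1.2, forward-secret cipher). The `vendor.example` URLs and the connection records are constructed sample data; the version and cipher names follow OpenSSL’s naming as surfaced by Python’s `ssl` module.

```python
"""Data-in-transit policy check: TLS 1.2 or higher, forward secrecy, no
plain HTTP. Added example, not Cooley's or any vendor's own code. The
connection records at the bottom are constructed sample data."""
import ssl
from dataclasses import dataclass
from typing import Optional

# Protocol versions as named by OpenSSL/Python, ranked; anything below 1.2 fails.
VERSION_RANK = {"SSLv3": -1, "TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
MINIMUM_RANK = VERSION_RANK["TLSv1.2"]

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (forward secret).
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")


@dataclass
class ConnectionRecord:
    """One observed connection to the vendor service (constructed for the example)."""
    url: str
    tls_version: Optional[str]  # e.g. "TLSv1.2"; None for a plain HTTP connection
    cipher: Optional[str]       # OpenSSL cipher name; None for plain HTTP


def has_forward_secrecy(cipher: Optional[str]) -> bool:
    """TLS 1.3 suites (names starting with TLS_) always use ephemeral key
    exchange; for TLS 1.2 and below only (EC)DHE suites qualify."""
    if not cipher:
        return False
    return cipher.startswith("TLS_") or cipher.startswith(FORWARD_SECRET_PREFIXES)


def evaluate(record: ConnectionRecord) -> list[str]:
    """Return the policy violations for one connection (empty list = compliant)."""
    findings: list[str] = []
    if not record.url.lower().startswith("https://"):
        findings.append("unprotected HTTP connection")
        return findings  # nothing further to assess without TLS
    rank = VERSION_RANK.get(record.tls_version or "", -99)
    if rank < MINIMUM_RANK:
        findings.append(f"protocol {record.tls_version} is below TLS 1.2")
    if not has_forward_secrecy(record.cipher):
        findings.append(f"cipher {record.cipher} does not provide forward secrecy")
    return findings


def audit(records: list[ConnectionRecord]) -> dict[str, list[str]]:
    """Map each non-compliant URL to its findings; compliant URLs are omitted."""
    return {r.url: f for r in records if (f := evaluate(r))}


def build_compliant_context() -> ssl.SSLContext:
    """Server-side context meeting the requirement: TLS 1.2 floor and, for
    TLS 1.2, only ephemeral (EC)DHE AEAD suites. TLS 1.3 suites are not
    affected by set_ciphers() and are forward secret by design."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


# Constructed sample connections, not real observations.
SAMPLE_RECORDS = [
    ConnectionRecord("https://vendor.example/api", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ConnectionRecord("https://vendor.example/legacy", "TLSv1.2", "AES256-GCM-SHA384"),
    ConnectionRecord("https://vendor.example/old", "TLSv1", "ECDHE-RSA-AES128-SHA"),
    ConnectionRecord("http://vendor.example/health", None, None),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RECORDS).items():
        print(url, "->", "; ".join(findings))
```

Of the four constructed records only the first passes: the second negotiates TLS 1.2 with a static-RSA cipher (no forward secrecy), the third uses TLS 1.0, and the fourth is plain HTTP. The `set_ciphers()` string governs TLS 1.2 negotiation only; the TLS 1.3 suites remain enabled and satisfy the forward-secrecy test because their key exchange is always ephemeral.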

7.3 Identity, authentication and access controls

  • Access and processing capabilities should be limited to approved, authenticated and authorized users from authorized devices.
  • The Vendor will monitor access rights to ensure they are the minimum required for the current business needs of the users, and no more.
  • A unique user ID with a complex password that expires after a time frame approved through the Cooley security assessment should be assigned to every authorized user and required for logging in.
  • Remote access should require two-factor authentication using tokens that randomly regenerate at designated intervals.
  • Access termination and transfer procedures must be defined for employees, consultants and contractors.
  • File integrity monitoring systems should be used to log and monitor data access, while data loss prevention systems should control the movement of data inside and outside the Vendor’s systems and networks.
  • Access and security events should be logged, and software that enables rapid analysis of user activities should be deployed.
  • Integration with third-party single sign-on identity Vendors is required.

7.4 Endpoint security

The Vendor should ensure all workstations and mobile devices are encrypted and require a password, PIN or biometric access. The Vendor should only allow software authorized for business purposes to be installed on Vendor workstations, and control software development and inventories through a secure configuration manager. All mobile devices should require registration with the Vendor’s mobile device management system.

Vendor will protect Cooley’s data, and the assets storing or processing it, against physical tampering, loss, damage or seizure.

7.5 Availability

  • Vendor will monitor and document the reliability, maintainability, serviceability and availability of a system or service on a continuous basis.
  • Vendor agrees that all products or services licensed to Cooley, other than beta-stage products that are on their face clearly not subject to the same terms and conditions as final released products, will be accompanied by a service level agreement (SLA) identifying a minimum availability percentage. The Vendor furthermore agrees that if such SLA does not exist, it will ensure minimum availability of 99.99% per month.

7.6 Password policy

The Vendor will maintain and enforce a complex password policy for systems maintaining and/or accessing Cooley Data that includes:

  • Forced or initial password change
  • Minimum password length
  • Password complexity
  • Password history
  • A prohibition against shared passwords
  • Procedures for deactivating accounts and removing users after allowed thresholds
  • A multifactor authentication requirement for remote access
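The password-policy items above map directly onto enforcement logic. The following Python module is an added example, not Cooley’s or any vendor’s own code: it implements forced initial change, minimum length, complexity, and password history (stored only as salted PBKDF2 digests, never plaintext) for a single account object. The thresholds (`MIN_LENGTH`, `HISTORY_DEPTH`, `PBKDF2_ITERATIONS`) are assumed values chosen for the example and are not taken from these requirements; the `Account` class and the usernames are constructed.

```python
"""Password-policy enforcement: forced initial change, minimum length,
complexity and history. Added example, not Cooley's or any vendor's code;
the numeric thresholds below are assumed values, not policy figures."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 14             # assumed threshold
HISTORY_DEPTH = 10          # assumed: the last 10 passwords may not be reused
PBKDF2_ITERATIONS = 50_000  # assumed; history is kept as salted hashes, never plaintext
CHARACTER_CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    """Constructed account record: newest password hash is last in history."""
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    must_change: bool = True  # a freshly provisioned account starts with a forced change


def complexity_problems(password: str) -> list[str]:
    """Length and character-class checks; empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing a {name}")
    return problems


def was_used_recently(account: Account, password: str) -> bool:
    """Re-derive the digest under each stored salt and compare in constant time."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in account.history[-HISTORY_DEPTH:]
    )


def set_password(account: Account, new_password: str, forced_change: bool = False) -> list[str]:
    """Apply the policy; returns the reasons for rejection (empty = accepted).
    forced_change=True is used for administrator-issued initial passwords."""
    problems = complexity_problems(new_password)
    if was_used_recently(account, new_password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    account.history.append(hash_password(new_password))
    del account.history[:-HISTORY_DEPTH]  # keep only the most recent entries
    account.must_change = forced_change
    return []


def login_allowed(account: Account, password: str) -> tuple[bool, str]:
    """Verify against the current password; an account flagged for a forced
    change cannot proceed until it has set a new one."""
    if not account.history:
        return False, "no password set"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return False, "invalid credentials"
    if account.must_change:
        return False, "password change required"
    return True, "ok"


if __name__ == "__main__":
    acct = Account("alice")
    set_password(acct, "Initial-Temp-Pass-1", forced_change=True)
    print(login_allowed(acct, "Initial-Temp-Pass-1"))
    print(set_password(acct, "Initial-Temp-Pass-1"))  # rejected: in history
    print(set_password(acct, "Correct-Horse-Battery-42"), login_allowed(acct, "Correct-Horse-Battery-42"))
```

The shared-password prohibition and the account-deactivation thresholds from the list are organizational rather than per-password checks and are not modelled here; the point of the example is that history enforcement works on salted digests, so the history store never needs to hold a reusable secret.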

7.7 Vulnerability management and patching

Vendor agrees to:

  • Conduct monthly internal and external vulnerability scans
  • Conduct annual external penetration tests
  • Correct critical findings from vulnerability scans and penetration tests within 30 days
  • Apply critical patches within 14 days
  • Apply high patches within 30 days

7.8 Additional security controls

The Vendor will maintain minimum security controls applicable to:

  • Endpoint security software on all workstations and servers (i.e., anti-malware)
  • Anti-spam filters
  • Perimeter firewalls
  • Logical access controls
  • Logging of access to all client data
  • Intrusion prevention and/or detection systems
  • Security event and information management
  • Configuration and change management
  • Annual penetration test

8. Cloud file sharing

Vendor will not store or transfer Cooley Data through the use of commercial cloud file-sharing services.

9. Audits/certifications/attestations

Upon Cooley’s request with reasonable notice, the Vendor will permit technical and operational audits of the Vendor and its affiliates, related to the subject matter of the services provided or any engagement. Auditors may conduct on-site security reviews and vulnerability testing for the Vendor’s systems containing Cooley Data, and otherwise audit the Vendor’s operations for compliance with the information security requirements.

If vulnerabilities are identified, the Vendor will promptly document and implement a mutually agreed-upon remediation plan, and upon Cooley’s request, provide Cooley with the status of the implementation.

If the Vendor has a certified independent public accounting firm or other independent third party conduct and provide any of the following attestations, reviews or tests, the Vendor will provide all findings to Cooley upon receipt from the third party: SOC 2 Type 2, ISO 27001, and independent network and application penetration tests.

10. Software applications or software as a service requirements

If Vendor provides software applications or software as a service (SaaS) to Cooley, it must at minimum incorporate the following:

  • Malicious code protection
    • Vendor’s software development processes and environment must protect against malicious code being introduced into its product’s future releases and/or updates.
  • Vendor must conduct static/manual application vulnerability testing for each release of the application software as defined by the OWASP top 10 and SANS top 25 standards.
  • Vendor agrees to provide, maintain and support its software and subsequent updates, upgrades and bug fixes such that the software is – and remains – secure from common software vulnerabilities.
  • Vendor software that controls access to any confidential information provided by or on behalf of Cooley under the agreement must log and track all access to the information.
  • Secure application development
    • Vendor ensures that all software has been developed following a software development life cycle process that includes industry best practices for achieving and sustaining confidentiality, integrity and availability protection.
    • Vendor has procedures in place to ensure the integrity of software updates and can demonstrate that precautions are taken to ensure that any of its own, third-party or open-source software used in providing Vendor services does not contain known backdoors, viruses, trojans or other kinds of malicious code.
  • Vendor must not utilize Cooley Data in test and development environments without explicit permission from Cooley.
  • Vendor will ensure that Cooley is provided with the tools required to securely manage the service.

11. Data centers as subcontractors

Vendor must be certified against ISO 27001 as a minimum for all data center services. If data center services are subcontracted, Vendor must ensure their subcontractors are also ISO 27001 certified as a minimum requirement. In addition, Vendor must ensure its subcontractors meet Cooley’s security control requirements.